Merge pull request #1228 from M00nF1sh/i_1227

redact oidc
kubernetes-sigs · Apr 18, 2020 · 4f1a9a2 · 4f1a9a2
2 parents b2a4dbf + 450c300
commit 4f1a9a2
Show file tree

Hide file tree

Showing 5 changed files with 144 additions and 1 deletion.
diff --git a/internal/alb/ls/listener.go b/internal/alb/ls/listener.go
@@ -160,7 +160,9 @@ func (controller *defaultController) LSInstanceNeedsModification(ctx context.Con
 		needModification = true
 	}
 	if !actionsMatches(instance.DefaultActions, config.DefaultActions) {
-		albctx.GetLogger(ctx).DebugLevelf(1, "listener defaultActions needs modification: %v => %v", awsutil.Prettify(instance.DefaultActions), awsutil.Prettify(config.DefaultActions))
+		albctx.GetLogger(ctx).DebugLevelf(1, "listener defaultActions needs modification",
+			awsutil.Prettify(redactActions(instance.DefaultActions)),
+			awsutil.Prettify(redactActions(config.DefaultActions)))
 		needModification = true
 	}
 	return needModification

diff --git a/internal/alb/ls/rules.go b/internal/alb/ls/rules.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"strconv"
 
+	"github.com/kubernetes-sigs/aws-alb-ingress-controller/pkg/util"
+
 	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/ingress/annotations/conditions"
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -576,3 +578,18 @@ func isUnconditionalRedirect(listener *elbv2.Listener, r elbv2.Rule) bool {
 	}
 	return false
 }
+
+// redactActions will redact sensitive information from actions, so it's safe for logging.
+func redactActions(actions []*elbv2.Action) []*elbv2.Action {
+	actionsClone := make([]*elbv2.Action, len(actions))
+	for index, action := range actions {
+		actionClone := &elbv2.Action{}
+		util.DeepCopyInto(actionClone, action)
+		if actionClone.AuthenticateOidcConfig != nil {
+			actionClone.AuthenticateOidcConfig.ClientId = aws.String("<redacted>")
+			actionClone.AuthenticateOidcConfig.ClientSecret = aws.String("<redacted>")
+		}
+		actionsClone[index] = actionClone
+	}
+	return actionsClone
+}
diff --git a/internal/alb/ls/rules_test.go b/internal/alb/ls/rules_test.go
@@ -3101,3 +3101,72 @@ func redirectActionConfig(override *elbv2.RedirectActionConfig) *elbv2.RedirectA
 	}
 	return r
 }
+
+func Test_redactActions(t *testing.T) {
+	type args struct {
+		actions []*elbv2.Action
+	}
+	tests := []struct {
+		name string
+		args args
+		want []*elbv2.Action
+	}{
+		{
+			name: "actions needs redact",
+			args: args{
+				actions: []*elbv2.Action{
+					{
+						AuthenticateOidcConfig: &elbv2.AuthenticateOidcActionConfig{
+							ClientId:      aws.String("my-client-id"),
+							ClientSecret:  aws.String("my-secret"),
+							TokenEndpoint: aws.String("endpoint-1"),
+						},
+					},
+					{
+						AuthenticateOidcConfig: &elbv2.AuthenticateOidcActionConfig{
+							ClientId:      aws.String("my-client-id"),
+							ClientSecret:  aws.String("my-secret"),
+							TokenEndpoint: aws.String("endpoint-2"),
+						},
+					},
+				},
+			},
+			want: []*elbv2.Action{
+				{
+					AuthenticateOidcConfig: &elbv2.AuthenticateOidcActionConfig{
+						ClientId:      aws.String("<redacted>"),
+						ClientSecret:  aws.String("<redacted>"),
+						TokenEndpoint: aws.String("endpoint-1"),
+					},
+				},
+				{
+					AuthenticateOidcConfig: &elbv2.AuthenticateOidcActionConfig{
+						ClientId:      aws.String("<redacted>"),
+						ClientSecret:  aws.String("<redacted>"),
+						TokenEndpoint: aws.String("endpoint-2"),
+					},
+				},
+			},
+		},
+		{
+			name: "empty actions",
+			args: args{
+				actions: []*elbv2.Action{},
+			},
+			want: []*elbv2.Action{},
+		},
+		{
+			name: "nil actions",
+			args: args{
+				actions: nil,
+			},
+			want: []*elbv2.Action{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := redactActions(tt.args.actions)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
diff --git a/pkg/util/deepcopy.go b/pkg/util/deepcopy.go
@@ -0,0 +1,14 @@
+package util
+
+import (
+	"bytes"
+	"encoding/gob"
+)
+
+func DeepCopyInto(to interface{}, from interface{}) {
+	buff := new(bytes.Buffer)
+	enc := gob.NewEncoder(buff)
+	dec := gob.NewDecoder(buff)
+	_ = enc.Encode(from)
+	_ = dec.Decode(to)
+}
diff --git a/pkg/util/deepcopy_test.go b/pkg/util/deepcopy_test.go
@@ -0,0 +1,41 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type structA struct {
+	Name string
+}
+
+type structB struct {
+	Name string
+	A    *structA
+}
+
+func TestDeepCopyInto(t *testing.T) {
+	obj := structB{
+		Name: "parent",
+		A: &structA{
+			Name: "child-1",
+		},
+	}
+	objClone := structB{}
+	DeepCopyInto(&objClone, obj)
+	obj.A.Name = "child-2"
+
+	assert.Equal(t, structB{
+		Name: "parent",
+		A: &structA{
+			Name: "child-2",
+		},
+	}, obj)
+	assert.Equal(t, structB{
+		Name: "parent",
+		A: &structA{
+			Name: "child-1",
+		},
+	}, objClone)
+}